RSA SecurID Breach Blamed on Phishing Campaign


A targeted phishing attack appears to have been at the center of the RSA SecurID breach revealed last month.

On April 1, officials with RSA, the security division of EMC, broke weeks of silence and disclosed more details about the incident. According to RSA, the attack began with phishing e-mails armed with a malicious Excel file that exploited an Adobe Flash Player vulnerability. The e-mails were sent to two small groups of employees during a two-day period, Uri Rivner, head of new technologies for consumer identity protection at RSA, explained in a blog post.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” he wrote. “It was a spreadsheet titled ‘2011 Recruitment plan.xls.’ The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.”

From there, the attack installed a remote administration tool called Poison Ivy, which is used to permit external control of a compromised computer. According to Rivner, after harvesting access credentials from the infected systems, the attacker performed privilege escalation on non-administrative users in the targeted systems and attempted to gain access to “key high value targets,” including “process experts and IT and non-IT specific server administrators.”

“In the third stage of an APT (advanced persistent threat), the goal is to extract what you can,” he wrote. “The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider.”

The files were later pulled by the attacker and removed from the external compromised host to remove any traces of the attack, he added.

RSA did not disclose any new details about what was actually taken. When the breach was first reported publicly, EMC Executive Chairman Art Coviello wrote in an open letter to RSA customers that the company’s investigation discovered some of the information stolen was related to RSA’s SecurID two-factor authentication products. At the time, Coviello stated that the extracted information could not enable a successful direct attack on any of RSA’s SecurID customers.

Ironically, the company gave credit to using its implementation of NetWitness – which it acquired April 1 -- to detect the attack, but was still unable to stop it before damage was done, noted Gartner analyst Avivah Litan.

“The irony though with RSA is that they don’t eat their own dog food,” she blogged. “In other words, they relied on yesterday’s best of breed tools to prevent and detect the attack. They gave a lot of credit to NetWitness for helping them find the attack in real time but they obviously weren’t able to stop the attack in real time, which means the signals and scores weren’t high enough to cause a person to shut down the attack in real time.”

Still, Sophos Senior Security Consultant Carole Theriault commended RSA for releasing more details of the incident, and noted RSA was not the first to fall victim to this sort of attack, and it won’t be the last.

“No matter what technology you have in place, the vulnerability that all businesses can't get away from are employees,” she blogged.